edca4962fc2dba5c2b1dd22e4bf1d39bf80ad5b254bbd7a80643f28e6ff25842

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-13_ce013cfc9ca7ca4b8b645e78e4b50091_goldeneye.exe
Size

192KB
MD5

ce013cfc9ca7ca4b8b645e78e4b50091
SHA1

a0de9de0446b110aa6656dc928dca3a94527d48f
SHA256

edca4962fc2dba5c2b1dd22e4bf1d39bf80ad5b254bbd7a80643f28e6ff25842
SHA512

57328408e6644aa5e6d65285b6ef0a288edb47baeb2dd8f531d0729b041cbb194e053ce797e4a78dfbf616d909e5c03a7e9f2e42e036b1231c65313ca7be51ec
SSDEEP

1536:1EGh0osl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0osl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD65C1F3-3C96-4d13-82C8-FB95FAB8FF0D}	{6EB35C7E-80AD-4bb2-9F6F-8093C3E91A7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{261517C0-6B51-494a-A61F-4CBF2D6B797C}	{73ADEBB3-D22D-4cc9-BFF7-3A5D7D2D5A2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0081BF7F-E2F5-4695-9BBD-79A5398412DF}\stubpath = "C:\\Windows\\{0081BF7F-E2F5-4695-9BBD-79A5398412DF}.exe"	{261517C0-6B51-494a-A61F-4CBF2D6B797C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0DD687B-9FCE-4edc-A07C-09F5C69BD092}\stubpath = "C:\\Windows\\{C0DD687B-9FCE-4edc-A07C-09F5C69BD092}.exe"	{3CF5D9DB-7516-4ebf-824F-5C969AC93BA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EB35C7E-80AD-4bb2-9F6F-8093C3E91A7B}	2024-10-13_ce013cfc9ca7ca4b8b645e78e4b50091_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{415C7FAD-4599-4808-9884-DA1EC28F991A}	{C10714E8-FDBE-4e11-9E27-6EB0195386D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8F0EBC2-A069-47f1-9CF6-16DD251497D6}\stubpath = "C:\\Windows\\{A8F0EBC2-A069-47f1-9CF6-16DD251497D6}.exe"	{415C7FAD-4599-4808-9884-DA1EC28F991A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73ADEBB3-D22D-4cc9-BFF7-3A5D7D2D5A2C}\stubpath = "C:\\Windows\\{73ADEBB3-D22D-4cc9-BFF7-3A5D7D2D5A2C}.exe"	{A8F0EBC2-A069-47f1-9CF6-16DD251497D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D866D222-5265-490f-9DBF-9BE318D2AC35}	{3DDCF0EB-5EAA-4a03-956D-146F1012C57E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D866D222-5265-490f-9DBF-9BE318D2AC35}\stubpath = "C:\\Windows\\{D866D222-5265-490f-9DBF-9BE318D2AC35}.exe"	{3DDCF0EB-5EAA-4a03-956D-146F1012C57E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CF5D9DB-7516-4ebf-824F-5C969AC93BA9}	{D866D222-5265-490f-9DBF-9BE318D2AC35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CF5D9DB-7516-4ebf-824F-5C969AC93BA9}\stubpath = "C:\\Windows\\{3CF5D9DB-7516-4ebf-824F-5C969AC93BA9}.exe"	{D866D222-5265-490f-9DBF-9BE318D2AC35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EB35C7E-80AD-4bb2-9F6F-8093C3E91A7B}\stubpath = "C:\\Windows\\{6EB35C7E-80AD-4bb2-9F6F-8093C3E91A7B}.exe"	2024-10-13_ce013cfc9ca7ca4b8b645e78e4b50091_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD65C1F3-3C96-4d13-82C8-FB95FAB8FF0D}\stubpath = "C:\\Windows\\{CD65C1F3-3C96-4d13-82C8-FB95FAB8FF0D}.exe"	{6EB35C7E-80AD-4bb2-9F6F-8093C3E91A7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C10714E8-FDBE-4e11-9E27-6EB0195386D5}	{CD65C1F3-3C96-4d13-82C8-FB95FAB8FF0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C10714E8-FDBE-4e11-9E27-6EB0195386D5}\stubpath = "C:\\Windows\\{C10714E8-FDBE-4e11-9E27-6EB0195386D5}.exe"	{CD65C1F3-3C96-4d13-82C8-FB95FAB8FF0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8F0EBC2-A069-47f1-9CF6-16DD251497D6}	{415C7FAD-4599-4808-9884-DA1EC28F991A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DDCF0EB-5EAA-4a03-956D-146F1012C57E}	{0081BF7F-E2F5-4695-9BBD-79A5398412DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{415C7FAD-4599-4808-9884-DA1EC28F991A}\stubpath = "C:\\Windows\\{415C7FAD-4599-4808-9884-DA1EC28F991A}.exe"	{C10714E8-FDBE-4e11-9E27-6EB0195386D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73ADEBB3-D22D-4cc9-BFF7-3A5D7D2D5A2C}	{A8F0EBC2-A069-47f1-9CF6-16DD251497D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{261517C0-6B51-494a-A61F-4CBF2D6B797C}\stubpath = "C:\\Windows\\{261517C0-6B51-494a-A61F-4CBF2D6B797C}.exe"	{73ADEBB3-D22D-4cc9-BFF7-3A5D7D2D5A2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0081BF7F-E2F5-4695-9BBD-79A5398412DF}	{261517C0-6B51-494a-A61F-4CBF2D6B797C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DDCF0EB-5EAA-4a03-956D-146F1012C57E}\stubpath = "C:\\Windows\\{3DDCF0EB-5EAA-4a03-956D-146F1012C57E}.exe"	{0081BF7F-E2F5-4695-9BBD-79A5398412DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0DD687B-9FCE-4edc-A07C-09F5C69BD092}	{3CF5D9DB-7516-4ebf-824F-5C969AC93BA9}.exe

Executes dropped EXE 11 IoCs

pid	Process
3908	{6EB35C7E-80AD-4bb2-9F6F-8093C3E91A7B}.exe
4448	{CD65C1F3-3C96-4d13-82C8-FB95FAB8FF0D}.exe
2880	{C10714E8-FDBE-4e11-9E27-6EB0195386D5}.exe
1708	{415C7FAD-4599-4808-9884-DA1EC28F991A}.exe
4976	{A8F0EBC2-A069-47f1-9CF6-16DD251497D6}.exe
3084	{73ADEBB3-D22D-4cc9-BFF7-3A5D7D2D5A2C}.exe
3824	{261517C0-6B51-494a-A61F-4CBF2D6B797C}.exe
2028	{0081BF7F-E2F5-4695-9BBD-79A5398412DF}.exe
4708	{3DDCF0EB-5EAA-4a03-956D-146F1012C57E}.exe
2412	{D866D222-5265-490f-9DBF-9BE318D2AC35}.exe
4332	{C0DD687B-9FCE-4edc-A07C-09F5C69BD092}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6EB35C7E-80AD-4bb2-9F6F-8093C3E91A7B}.exe	2024-10-13_ce013cfc9ca7ca4b8b645e78e4b50091_goldeneye.exe
File created	C:\Windows\{C10714E8-FDBE-4e11-9E27-6EB0195386D5}.exe	{CD65C1F3-3C96-4d13-82C8-FB95FAB8FF0D}.exe
File created	C:\Windows\{73ADEBB3-D22D-4cc9-BFF7-3A5D7D2D5A2C}.exe	{A8F0EBC2-A069-47f1-9CF6-16DD251497D6}.exe
File created	C:\Windows\{3DDCF0EB-5EAA-4a03-956D-146F1012C57E}.exe	{0081BF7F-E2F5-4695-9BBD-79A5398412DF}.exe
File created	C:\Windows\{D866D222-5265-490f-9DBF-9BE318D2AC35}.exe	{3DDCF0EB-5EAA-4a03-956D-146F1012C57E}.exe
File created	C:\Windows\{C0DD687B-9FCE-4edc-A07C-09F5C69BD092}.exe	{3CF5D9DB-7516-4ebf-824F-5C969AC93BA9}.exe
File created	C:\Windows\{CD65C1F3-3C96-4d13-82C8-FB95FAB8FF0D}.exe	{6EB35C7E-80AD-4bb2-9F6F-8093C3E91A7B}.exe
File created	C:\Windows\{415C7FAD-4599-4808-9884-DA1EC28F991A}.exe	{C10714E8-FDBE-4e11-9E27-6EB0195386D5}.exe
File created	C:\Windows\{A8F0EBC2-A069-47f1-9CF6-16DD251497D6}.exe	{415C7FAD-4599-4808-9884-DA1EC28F991A}.exe
File created	C:\Windows\{261517C0-6B51-494a-A61F-4CBF2D6B797C}.exe	{73ADEBB3-D22D-4cc9-BFF7-3A5D7D2D5A2C}.exe
File created	C:\Windows\{0081BF7F-E2F5-4695-9BBD-79A5398412DF}.exe	{261517C0-6B51-494a-A61F-4CBF2D6B797C}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-13_ce013cfc9ca7ca4b8b645e78e4b50091_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CD65C1F3-3C96-4d13-82C8-FB95FAB8FF0D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{415C7FAD-4599-4808-9884-DA1EC28F991A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{73ADEBB3-D22D-4cc9-BFF7-3A5D7D2D5A2C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{261517C0-6B51-494a-A61F-4CBF2D6B797C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6EB35C7E-80AD-4bb2-9F6F-8093C3E91A7B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0081BF7F-E2F5-4695-9BBD-79A5398412DF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3DDCF0EB-5EAA-4a03-956D-146F1012C57E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D866D222-5265-490f-9DBF-9BE318D2AC35}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A8F0EBC2-A069-47f1-9CF6-16DD251497D6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3CF5D9DB-7516-4ebf-824F-5C969AC93BA9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C0DD687B-9FCE-4edc-A07C-09F5C69BD092}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C10714E8-FDBE-4e11-9E27-6EB0195386D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4556	2024-10-13_ce013cfc9ca7ca4b8b645e78e4b50091_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3908	{6EB35C7E-80AD-4bb2-9F6F-8093C3E91A7B}.exe
Token: SeIncBasePriorityPrivilege	4448	{CD65C1F3-3C96-4d13-82C8-FB95FAB8FF0D}.exe
Token: SeIncBasePriorityPrivilege	2880	{C10714E8-FDBE-4e11-9E27-6EB0195386D5}.exe
Token: SeIncBasePriorityPrivilege	1708	{415C7FAD-4599-4808-9884-DA1EC28F991A}.exe
Token: SeIncBasePriorityPrivilege	4976	{A8F0EBC2-A069-47f1-9CF6-16DD251497D6}.exe
Token: SeIncBasePriorityPrivilege	3084	{73ADEBB3-D22D-4cc9-BFF7-3A5D7D2D5A2C}.exe
Token: SeIncBasePriorityPrivilege	3824	{261517C0-6B51-494a-A61F-4CBF2D6B797C}.exe
Token: SeIncBasePriorityPrivilege	2028	{0081BF7F-E2F5-4695-9BBD-79A5398412DF}.exe
Token: SeIncBasePriorityPrivilege	4708	{3DDCF0EB-5EAA-4a03-956D-146F1012C57E}.exe
Token: SeIncBasePriorityPrivilege	1588	{3CF5D9DB-7516-4ebf-824F-5C969AC93BA9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 3908	4556	2024-10-13_ce013cfc9ca7ca4b8b645e78e4b50091_goldeneye.exe	86
PID 4556 wrote to memory of 3908	4556	2024-10-13_ce013cfc9ca7ca4b8b645e78e4b50091_goldeneye.exe	86
PID 4556 wrote to memory of 3908	4556	2024-10-13_ce013cfc9ca7ca4b8b645e78e4b50091_goldeneye.exe	86
PID 4556 wrote to memory of 1196	4556	2024-10-13_ce013cfc9ca7ca4b8b645e78e4b50091_goldeneye.exe	87
PID 4556 wrote to memory of 1196	4556	2024-10-13_ce013cfc9ca7ca4b8b645e78e4b50091_goldeneye.exe	87
PID 4556 wrote to memory of 1196	4556	2024-10-13_ce013cfc9ca7ca4b8b645e78e4b50091_goldeneye.exe	87
PID 3908 wrote to memory of 4448	3908	{6EB35C7E-80AD-4bb2-9F6F-8093C3E91A7B}.exe	88
PID 3908 wrote to memory of 4448	3908	{6EB35C7E-80AD-4bb2-9F6F-8093C3E91A7B}.exe	88
PID 3908 wrote to memory of 4448	3908	{6EB35C7E-80AD-4bb2-9F6F-8093C3E91A7B}.exe	88
PID 3908 wrote to memory of 3048	3908	{6EB35C7E-80AD-4bb2-9F6F-8093C3E91A7B}.exe	89
PID 3908 wrote to memory of 3048	3908	{6EB35C7E-80AD-4bb2-9F6F-8093C3E91A7B}.exe	89
PID 3908 wrote to memory of 3048	3908	{6EB35C7E-80AD-4bb2-9F6F-8093C3E91A7B}.exe	89
PID 4448 wrote to memory of 2880	4448	{CD65C1F3-3C96-4d13-82C8-FB95FAB8FF0D}.exe	93
PID 4448 wrote to memory of 2880	4448	{CD65C1F3-3C96-4d13-82C8-FB95FAB8FF0D}.exe	93
PID 4448 wrote to memory of 2880	4448	{CD65C1F3-3C96-4d13-82C8-FB95FAB8FF0D}.exe	93
PID 4448 wrote to memory of 4120	4448	{CD65C1F3-3C96-4d13-82C8-FB95FAB8FF0D}.exe	94
PID 4448 wrote to memory of 4120	4448	{CD65C1F3-3C96-4d13-82C8-FB95FAB8FF0D}.exe	94
PID 4448 wrote to memory of 4120	4448	{CD65C1F3-3C96-4d13-82C8-FB95FAB8FF0D}.exe	94
PID 2880 wrote to memory of 1708	2880	{C10714E8-FDBE-4e11-9E27-6EB0195386D5}.exe	96
PID 2880 wrote to memory of 1708	2880	{C10714E8-FDBE-4e11-9E27-6EB0195386D5}.exe	96
PID 2880 wrote to memory of 1708	2880	{C10714E8-FDBE-4e11-9E27-6EB0195386D5}.exe	96
PID 2880 wrote to memory of 684	2880	{C10714E8-FDBE-4e11-9E27-6EB0195386D5}.exe	97
PID 2880 wrote to memory of 684	2880	{C10714E8-FDBE-4e11-9E27-6EB0195386D5}.exe	97
PID 2880 wrote to memory of 684	2880	{C10714E8-FDBE-4e11-9E27-6EB0195386D5}.exe	97
PID 1708 wrote to memory of 4976	1708	{415C7FAD-4599-4808-9884-DA1EC28F991A}.exe	98
PID 1708 wrote to memory of 4976	1708	{415C7FAD-4599-4808-9884-DA1EC28F991A}.exe	98
PID 1708 wrote to memory of 4976	1708	{415C7FAD-4599-4808-9884-DA1EC28F991A}.exe	98
PID 1708 wrote to memory of 5084	1708	{415C7FAD-4599-4808-9884-DA1EC28F991A}.exe	99
PID 1708 wrote to memory of 5084	1708	{415C7FAD-4599-4808-9884-DA1EC28F991A}.exe	99
PID 1708 wrote to memory of 5084	1708	{415C7FAD-4599-4808-9884-DA1EC28F991A}.exe	99
PID 4976 wrote to memory of 3084	4976	{A8F0EBC2-A069-47f1-9CF6-16DD251497D6}.exe	100
PID 4976 wrote to memory of 3084	4976	{A8F0EBC2-A069-47f1-9CF6-16DD251497D6}.exe	100
PID 4976 wrote to memory of 3084	4976	{A8F0EBC2-A069-47f1-9CF6-16DD251497D6}.exe	100
PID 4976 wrote to memory of 1848	4976	{A8F0EBC2-A069-47f1-9CF6-16DD251497D6}.exe	101
PID 4976 wrote to memory of 1848	4976	{A8F0EBC2-A069-47f1-9CF6-16DD251497D6}.exe	101
PID 4976 wrote to memory of 1848	4976	{A8F0EBC2-A069-47f1-9CF6-16DD251497D6}.exe	101
PID 3084 wrote to memory of 3824	3084	{73ADEBB3-D22D-4cc9-BFF7-3A5D7D2D5A2C}.exe	102
PID 3084 wrote to memory of 3824	3084	{73ADEBB3-D22D-4cc9-BFF7-3A5D7D2D5A2C}.exe	102
PID 3084 wrote to memory of 3824	3084	{73ADEBB3-D22D-4cc9-BFF7-3A5D7D2D5A2C}.exe	102
PID 3084 wrote to memory of 636	3084	{73ADEBB3-D22D-4cc9-BFF7-3A5D7D2D5A2C}.exe	103
PID 3084 wrote to memory of 636	3084	{73ADEBB3-D22D-4cc9-BFF7-3A5D7D2D5A2C}.exe	103
PID 3084 wrote to memory of 636	3084	{73ADEBB3-D22D-4cc9-BFF7-3A5D7D2D5A2C}.exe	103
PID 3824 wrote to memory of 2028	3824	{261517C0-6B51-494a-A61F-4CBF2D6B797C}.exe	104
PID 3824 wrote to memory of 2028	3824	{261517C0-6B51-494a-A61F-4CBF2D6B797C}.exe	104
PID 3824 wrote to memory of 2028	3824	{261517C0-6B51-494a-A61F-4CBF2D6B797C}.exe	104
PID 3824 wrote to memory of 3700	3824	{261517C0-6B51-494a-A61F-4CBF2D6B797C}.exe	105
PID 3824 wrote to memory of 3700	3824	{261517C0-6B51-494a-A61F-4CBF2D6B797C}.exe	105
PID 3824 wrote to memory of 3700	3824	{261517C0-6B51-494a-A61F-4CBF2D6B797C}.exe	105
PID 2028 wrote to memory of 4708	2028	{0081BF7F-E2F5-4695-9BBD-79A5398412DF}.exe	106
PID 2028 wrote to memory of 4708	2028	{0081BF7F-E2F5-4695-9BBD-79A5398412DF}.exe	106
PID 2028 wrote to memory of 4708	2028	{0081BF7F-E2F5-4695-9BBD-79A5398412DF}.exe	106
PID 2028 wrote to memory of 872	2028	{0081BF7F-E2F5-4695-9BBD-79A5398412DF}.exe	107
PID 2028 wrote to memory of 872	2028	{0081BF7F-E2F5-4695-9BBD-79A5398412DF}.exe	107
PID 2028 wrote to memory of 872	2028	{0081BF7F-E2F5-4695-9BBD-79A5398412DF}.exe	107
PID 4708 wrote to memory of 2412	4708	{3DDCF0EB-5EAA-4a03-956D-146F1012C57E}.exe	108
PID 4708 wrote to memory of 2412	4708	{3DDCF0EB-5EAA-4a03-956D-146F1012C57E}.exe	108
PID 4708 wrote to memory of 2412	4708	{3DDCF0EB-5EAA-4a03-956D-146F1012C57E}.exe	108
PID 4708 wrote to memory of 4392	4708	{3DDCF0EB-5EAA-4a03-956D-146F1012C57E}.exe	109
PID 4708 wrote to memory of 4392	4708	{3DDCF0EB-5EAA-4a03-956D-146F1012C57E}.exe	109
PID 4708 wrote to memory of 4392	4708	{3DDCF0EB-5EAA-4a03-956D-146F1012C57E}.exe	109
PID 1588 wrote to memory of 4332	1588	{3CF5D9DB-7516-4ebf-824F-5C969AC93BA9}.exe	112
PID 1588 wrote to memory of 4332	1588	{3CF5D9DB-7516-4ebf-824F-5C969AC93BA9}.exe	112
PID 1588 wrote to memory of 4332	1588	{3CF5D9DB-7516-4ebf-824F-5C969AC93BA9}.exe	112
PID 1588 wrote to memory of 3524	1588	{3CF5D9DB-7516-4ebf-824F-5C969AC93BA9}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-10-13_ce013cfc9ca7ca4b8b645e78e4b50091_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-13_ce013cfc9ca7ca4b8b645e78e4b50091_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Windows\{6EB35C7E-80AD-4bb2-9F6F-8093C3E91A7B}.exe
  C:\Windows\{6EB35C7E-80AD-4bb2-9F6F-8093C3E91A7B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\{CD65C1F3-3C96-4d13-82C8-FB95FAB8FF0D}.exe
    C:\Windows\{CD65C1F3-3C96-4d13-82C8-FB95FAB8FF0D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Windows\{C10714E8-FDBE-4e11-9E27-6EB0195386D5}.exe
      C:\Windows\{C10714E8-FDBE-4e11-9E27-6EB0195386D5}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Windows\{415C7FAD-4599-4808-9884-DA1EC28F991A}.exe
        
        C:\Windows\{415C7FAD-4599-4808-9884-DA1EC28F991A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
      - C:\Windows\{A8F0EBC2-A069-47f1-9CF6-16DD251497D6}.exe
        
        C:\Windows\{A8F0EBC2-A069-47f1-9CF6-16DD251497D6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\{73ADEBB3-D22D-4cc9-BFF7-3A5D7D2D5A2C}.exe
        
        C:\Windows\{73ADEBB3-D22D-4cc9-BFF7-3A5D7D2D5A2C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\{261517C0-6B51-494a-A61F-4CBF2D6B797C}.exe
        
        C:\Windows\{261517C0-6B51-494a-A61F-4CBF2D6B797C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\{0081BF7F-E2F5-4695-9BBD-79A5398412DF}.exe
        
        C:\Windows\{0081BF7F-E2F5-4695-9BBD-79A5398412DF}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\{3DDCF0EB-5EAA-4a03-956D-146F1012C57E}.exe
        
        C:\Windows\{3DDCF0EB-5EAA-4a03-956D-146F1012C57E}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\{D866D222-5265-490f-9DBF-9BE318D2AC35}.exe
        
        C:\Windows\{D866D222-5265-490f-9DBF-9BE318D2AC35}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\{3CF5D9DB-7516-4ebf-824F-5C969AC93BA9}.exe
        
        C:\Windows\{3CF5D9DB-7516-4ebf-824F-5C969AC93BA9}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\{C0DD687B-9FCE-4edc-A07C-09F5C69BD092}.exe
        
        C:\Windows\{C0DD687B-9FCE-4edc-A07C-09F5C69BD092}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CF5D~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D866D~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DDCF~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0081B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26151~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73ADE~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8F0E~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1848
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{415C7~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5084
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1071~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CD65C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6EB35~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0081BF7F-E2F5-4695-9BBD-79A5398412DF}.exe

Filesize
192KB

MD5
3c1cad860abf0b1383dac29218455056

SHA1
3b8494e0805d6d277b238e355741c8aad65fde93

SHA256
c2803b01cec2ec4f7d2236c3528258e18f528b7beef923dd298685e9ae8cf3cc

SHA512
12d7d694ccd4553d6fba01d89ef03407df7e6a327cb4be4975365e39cb38f5ea6150980a0e70dab1397cbc8f5af9fdda3103d6f4b413427cbec6c036150f1abc

Download Submit
C:\Windows\{261517C0-6B51-494a-A61F-4CBF2D6B797C}.exe

Filesize
192KB

MD5
93d7067598c68504d3bc48009a7ffa4d

SHA1
9a3b01e332ec8fa0b46b01e9bb853c35fc0ca8e4

SHA256
a7c8f192c494b3c7af450939d2406c172fb00caae0df81b205b294a7f04ac11d

SHA512
6d80a125bb8be155ec54a6f54e2cf713cb3cc316216d13632316b0e1a8929980e94c65860236452b6207d72fa13cf4f98ed7268c377eaf61fc7e6bedbb33ef37

Download Submit
C:\Windows\{3DDCF0EB-5EAA-4a03-956D-146F1012C57E}.exe

Filesize
192KB

MD5
727b8e48b44a1fcbb27b5f4d24594344

SHA1
5d4304b3ced0cde111337a38caae1bdc3dc7c310

SHA256
a3ca8a253febf77e9f4c040fbec0ed166f4b10edd8a7f030f7779fe3269ca273

SHA512
0a67fca5e4964e56bf8bb9347637beb0ef3395e3d881ba385dedf2afb9c35a011f8a0b21b1abd0b2b6cfb5abadb92e18c93eac53c56564b981e406e42dfb608f

Download Submit
C:\Windows\{415C7FAD-4599-4808-9884-DA1EC28F991A}.exe

Filesize
192KB

MD5
9856214ebf4ea8b66534e344003216a0

SHA1
9ac33031ca888db11371c9a598bc43dac1b3c715

SHA256
020faa6284d2101c946482c9e3e227c00631c41be4dfb2b8e26c6c544338a1d8

SHA512
0492023c82f7888610231684fafbae75471af3b1b73eefed1c05a5225773a8381c220aae09ca3ea579fe141fdbbc421b007d3d4d9d62b497a6bd38a23c2a7808

Download Submit
C:\Windows\{6EB35C7E-80AD-4bb2-9F6F-8093C3E91A7B}.exe

Filesize
192KB

MD5
c082264a22dd1f412edac6d746ee7f47

SHA1
3a5c6474e6344d9770afb2cbcf186ed414fed6bd

SHA256
cda6c34849b1531196e80f6c1c8879fc7e827771cf0d80814d6fe1bac7dcbab0

SHA512
6f396ba493dd17e9d4c09755275880cac7de5fbda669edd6950ef7ed92d46033d4c8ae5704b166de5564975d18246c72954a337f43838589d3ba7d9d4df1c559

Download Submit
C:\Windows\{73ADEBB3-D22D-4cc9-BFF7-3A5D7D2D5A2C}.exe

Filesize
192KB

MD5
055ae761eac6391aba09271215ac6ba6

SHA1
14b015ef4c6eddfa0573110688f182f714f7c44b

SHA256
b64be55a7187541dd863a25ebc02bb0d7b6fcd695fd29fbfa7aaff8dc8e2fac7

SHA512
86e32dcc69bfc221cbd685e2cdf732ce34dd18b469ae487d77e9982c2133048f80d6b4419de13bc606344ae72236af8bdbe6ca2cbd687f193f500f6aa15a0c69

Download Submit
C:\Windows\{A8F0EBC2-A069-47f1-9CF6-16DD251497D6}.exe

Filesize
192KB

MD5
1375b04cf5973bf0a6dccecef2a8d7fc

SHA1
aa15e0910df2a24edae4d914f93e4e0d0f42b50a

SHA256
e9f27102cacb8530c18a6cc5ab674cf7e283cf1e05383899fbe1f9059a3519a6

SHA512
ec3cf754710f069bbbb982bd37436ccde5a6f84d5bf87a3904ab198701d8ba1aa06ace740bdd593aa8cb4ee2f0a54a75d4a85e8a01e1091a39db78ab81d90eb1

Download Submit
C:\Windows\{C0DD687B-9FCE-4edc-A07C-09F5C69BD092}.exe

Filesize
192KB

MD5
ea03aa1130d8b7836c3d2c1b0a973eef

SHA1
901d4b07f273a165884cda71b03d7ef10982dc96

SHA256
0b618b8dc075a6d4ce271a08a6cbd438cad8dcfde613914af03dd31533b73591

SHA512
b73e5933004b9801d3cf88aebafb5e308595e98727cd1f12db68d4fb6a3406abf0f4d54c80b262518a2f53e82dd533c3614b5f949ae84d5193434603d6146a7e

Download Submit
C:\Windows\{C10714E8-FDBE-4e11-9E27-6EB0195386D5}.exe

Filesize
192KB

MD5
22143f6934c554438d8530ae07394ca8

SHA1
2b978558c088795c2b1c0047935c74aabb4bb4c3

SHA256
b88b6ccf3506f920e3fbdb1cb80bdfe03232a1a855adc0abc6b8b77af44f9198

SHA512
7b0e3fc1256cd670c7f625c7b7acb82bf1f0bf98bbd303192f6ccaa4b3a7565224f2b0a832a559c25c68e4d8fe3cfc063250372322ca7d01c547afab40da5979

Download Submit
C:\Windows\{CD65C1F3-3C96-4d13-82C8-FB95FAB8FF0D}.exe

Filesize
192KB

MD5
c8cc5ac32058a4d76c59c5cd04efeabf

SHA1
22f0200ed2a3286a58146d60aa3bdc24dcebc392

SHA256
c4b01962e05cd79398a4c0a9419dcbc483898d04853f609adf7ced17a4672203

SHA512
bdd5d62e5db86914910017174a8e82c393ded443525bd744990f5d4c14008a8179600f8cf16d194a7309d0c8f57db195c68dfefcf1fd64e3205fd6c11a57df8e

Download Submit
C:\Windows\{D866D222-5265-490f-9DBF-9BE318D2AC35}.exe

Filesize
192KB

MD5
339897f4227a1c205e36235bf7fd17cd

SHA1
fdb107e061866c9df259791a2ffc336e69cecce7

SHA256
ca311274f295407bc55ef6e1aa68596d2c907b0465a838a41728ce88645600c3

SHA512
4d9291084f8e62b461286b5aba3fe00c3b8a906e1e8a474b297224a3d6d9065a69febc6c7af4f5fe878e6110f4ed2f0efb80c63e5d4523d3860a7e91a610fff6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads